Interest in cyber insurance is expanding rapidly, a top officialof Marsh & McLennan testified before a Senate committee today,with the number of Marsh clients purchasing stand-alone cyberinsurance increasing by more than 20% in just the past year.

The Marsh official also testified that, in the area of cybersecurity, “offense is a lot easier than defense,” that is,companies should be aggressive in taking steps to head off cyberbreaches.

“There is no silver bullet or panacea that will eliminate thisrisk,” said Peter Beshar, Marsh executive vice president andgeneral counsel.

Rather, he said, it will take a “collaborative effort betweengovernment and business and among professionals in differentdisciplines — IT, HR, Legal and Compliance — to assessvulnerabilities and link arms to confront this risk head-on.”

Beshar's testimony came at a hearing on “Protecting PersonalConsumer Information from Cyber Attacks and Data Breaches,” held bythe Senate Committee on Commerce, Science & Transportation.

The hearing was held the day after Sen. John D.Rockefeller, D-W.Va., chairman of the panel, released a reportstating Target “possibly failed” to take advantage of severalopportunities to prevent the massive data breach in 2013 when cybercriminals stole the financial and personal information of as manyas 110 million consumers.

John Mulligan, Target executive vice president and CFO,responded, “With the benefit of hindsight and new information, weare now asking hard questions regarding the judgments that weremade at that time and assessing whether different judgments mayhave led to different outcomes,” Mulligan said.

The report used the “intrusion kill chain” framework developedby Lockheed Martin security researchers in 2011. The report saidthat this tool “suggests” that Target missed a number ofopportunities along the kill chain to stop the attackers andprevent the massive data breach.

Rockefeller used the occasion to highlight legislation herecently introduced, the Data Security and Breach Notification Act.He said enactment of this legislation would, “for the first time,establish strong, federal consumer data security and breachnotification standards.”

Edith Ramirez, chairwoman of the Federal Trade Commission, usedthe hearing to reiterate the FTC's longstanding, bipartisan callfor enactment of a strong federal data security and breachnotification law. “Never has the need for legislation beengreater,” she said. “With reports of data breaches on the rise, andwith a significant number of Americans suffering from identitytheft, Congress must act.”

Marsh's Beshar's testimony highlighted the increasing importanceof cyber-security insurance as an industry product.

He said throughout 2013 cyber-insurance rates remained stable —even as the perception and potential severity of the riskincreased. “This is partly because a number of new underwriters areinterested in providing cyber coverage,” he said, noting theaverage price-per-million dollars of coverage for a cyber policyactually dropped in 2013 in a number of sectors, includingfinancial institutions, utilities and sports and entertainment,while increasing for other sectors, including communications andtransportation.

He said the highest take up rates for cyber insurance are inhealth care, education and financial services. “These industrieshandle a large volume of sensitive personal information, includinghealth-care data, Social Security numbers and credit-cardinformation.”

Beshar also said, “Importantly, a number of cyber coverages alsoprovide access to experts who are available to monitor the client'sinformation security and assist the client to restore operations inthe event of a network attack.” He said these services includetechnical advice from on-call consultants and vulnerabilitydetection to examine network devices.